Stateful Load Balancer with iptables and NAT

Allow IP forwarding

(Note: if your testing this on the same box your doing this on it won’t work, you need at least 3 machines to test this out, virtual ones work nicely)

First we enable ipv4 forwarding or this will not work:

# echo "1" > /proc/sys/net/ipv4/ip_forward

XOR

# sysctl net.ipv4.ip_forward=1

next we add a filter that changes the packets destination ip and allows us to masquerade:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80
# iptables -t nat -A POSTROUTING -j MASQUERADE

The above filter gets added to iptables PREROUTING chain. The packets first go through the filters in the PREROUTING chain before iptables decides where they go. The above filter says all packets input into eth0 that use tcp protocol and have a destination port 80 will have their destination address changed to 1.2.3.4 port 80. The DNAT target in this case is responsible for changing the packets Destination IP address. Variations of this might include mapping to a different port on the same machine or perhaps to another interface all together, that is how one could implement a simple stateful vlan (in theory). Continue reading “Stateful Load Balancer with iptables and NAT” »

Share

NFS Firewall

Dynamic ports cannot be protected by port filtering firewalls such as iptables. First, you need to configure NFS services to use fixed ports. Open /etc/sysconfig/nfs, enter:

# vi /etc/sysconfig/nfs

Modify config directive as follows to set TCP/UDP unused ports:

# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=lockd-port-number
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=lockd-port-number 
# Port rpc.mountd should listen on.
MOUNTD_PORT=mountd-port-number
# Port rquotad should listen on.
RQUOTAD_PORT=rquotad-port-number
# Port rpc.statd should listen on.
STATD_PORT=statd-port-number
# Outgoing port statd should used. The default is port is random
STATD_OUTGOING_PORT=statd-outgoing-port-number

Continue reading “NFS Firewall” »

Share

Enable 1:1 NAT in Iptables

1:1 NAT maps a single Public IP Address to one of your computer within your local area network (LAN). Unlike port forwarding, 1:1 NAT forwards all ports from one external IP to one internal IP.

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.2 -j SNAT --to-source 83.229.64.2 iptables -t nat -A PREROUTING -i eth0 -d 83.229.64.2 -j DNAT --to-destination 192.168.1.2 iptables -A FORWARD -s 83.229.64.2 -j ACCEPT iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
Share

How to enable Port Forwarding in Iptables

Port forwarding allows remote computers, for example, computers on the Internet, to connect to a specific computer or service within a private local area network (LAN).
Typical applications include the following:

  • Running a public HTTP server within a private LAN
  • Permitting Secure Shell access to a host on the private LAN from the Internet
  • Permitting FTP access to a host on a private LAN from the Internet

In Linux, you can configure port forwarding using iptables command.
The below example is to enable the port forwarding of port 80 of the external ip address “83.229.64.2” to the port 80 of the computer inside the LAN with the ip address of “192.168.1.2”.

iptables -t nat -A PREROUTING -i eth0 -d 83.229.64.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80 iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
Share

Install Tomcat 6 in Debian

This article outlines a procedure for installing Tomcat 6 in Debian Lenny. Keep in mind that this does not include Apache 2 installation or integration. Apache must be installed separately and integrated to work with Tomcat.

Add following line in sources list-

nano /etc/apt/sources.list

deb http://ftp.debian.org/debian/ squeeze non-free
 

Update and install java

apt-get update
apt-get install sun-java6-jdk sun-java6-jre libtcnative-1

Ensure installed

java -version

Set JAVA_HOME

nano ~/.bashrc

Add the following at the end of the file: Continue reading “Install Tomcat 6 in Debian” »

Share